Add ferm installation instructions

06_firewall_ferm.md

@@ -0,0 +1,139 @@
+# Firewall setup (iptables) with ferm
+* https://www.lullabot.com/articles/convincing-docker-and-iptables-play-nicely
+
+* `sudo apt install ferm`
+* select no on the prompt if it should be enabled at boot
+* `sudo vim /etc/ferm/ferm.conf`
+```
+# /etc/ferm/ferm.conf
+
+# Default rules
+domain (ip ip6) {
+    table filter {
+        # Default Policies
+        chain INPUT {
+            policy DROP;
+
+            # respond to ping
+            proto icmp ACCEPT; 
+
+            # allow SSH connections
+            proto tcp dport ssh ACCEPT;
+        }
+
+        chain OUTPUT policy ACCEPT;
+
+        # loopback traffic
+        chain INPUT interface lo ACCEPT;
+        chain OUTPUT outerface lo ACCEPT;
+
+        chain (INPUT OUTPUT) {
+            # connection tracking
+            mod state state INVALID DROP;
+            mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
+        }
+    }
+}
+
+# Local rules
+@include ferm.d/;
+```
+
+* `sudo vim /etc/ferm/ferm.d/00-docker.ferm`
+```
+# /etc/ferm/ferm.d/00-docker.ferm
+
+domain (ip ip6) {
+    table filter {
+        chain (DOCKER DOCKER-INGRESS DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2 FORWARD) @preserve;
+    }
+
+    table nat {
+        chain (DOCKER DOCKER-INGRESS PREROUTING OUTPUT POSTROUTING) @preserve;
+    }
+}
+
+```
+
+* `sudo vim /etc/ferm/ferm.d/20-in.ssh.ferm`
+* **is in default, not necessary**
+```
+domain (ip ip6) {
+    table filter chain INPUT proto tcp dport 22 ACCEPT;
+}
+```
+
+* `sudo vim /etc/ferm/ferm.d/20-in.docker.nginx.ferm`
+```
+domain (ip ip6) {
+    table filter chain DOCKER-USER
+
+    # Incoming traffic bound for a docker service will come in
+    # to the FORWARD chain on eth0 and exit on docker_gwbridge
+    interface eth0 outerface docker_gwbridge
+
+    # The destination port here is the port listening IN THE DOCKER CONTAINER
+    # Often times that is the same as the host port, but not always
+    proto tcp dport (80 443)
+
+    ACCEPT;
+}
+```
+
+* `sudo vim /etc/ferm/ferm.d/20-in.docker.mailcow.ferm`
+```
+domain (ip ip6) {
+    table filter chain DOCKER-USER
+
+    # Incoming traffic bound for a docker service will come in
+    # to the FORWARD chain on eth0 and exit on docker_gwbridge
+    interface eth0 outerface docker_gwbridge
+
+    # The destination port here is the port listening IN THE DOCKER CONTAINER
+    # Often times that is the same as the host port, but not always
+    proto tcp dport (25 465 587 143 993 110 995 4190)
+
+    ACCEPT;
+}
+```
+
+* `sudo vim /etc/ferm/ferm.d/20-in.docker.ts3.ferm`
+```
+domain (ip ip6) {
+    table filter chain DOCKER-USER
+
+    # Incoming traffic bound for a docker service will come in
+    # to the FORWARD chain on eth0 and exit on docker_gwbridge
+    interface eth0 outerface docker_gwbridge
+
+    # The destination port here is the port listening IN THE DOCKER CONTAINER
+    # Often times that is the same as the host port, but not always
+    proto tcp dport (10011 30033)
+
+    ACCEPT;
+}
+
+domain (ip ip6) {
+    table filter chain DOCKER-USER
+
+    interface eth0 outerface docker_gwbridge
+
+    proto udp dport (9987 9988)
+
+    ACCEPT;
+}
+```
+
+* `/etc/ferm/ferm.d/99-docker.ferm`
+```
+domain (ip ip6) table filter chain DOCKER-USER {
+    interface eth0 outerface docker_gwbridge {
+        mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
+        DROP;
+    }
+    RETURN;
+}
+```
+
+* edit /etc/default/ferm to enable it
+* sudo systemctl enable ferm